b'  Office of Inspector General\n\n\nReview of the Unauthorized Disclosure\n  of a Confidential Staff Draft of the\n        Volcker Rule Notice of\n        Proposed Rulemaking\n\n\n\n                 \xe2\x80\xa2                 \xe2\x80\xa2\n\n\n\n\n   Board of Governors of the Federal Reserve System\n\n\n                                                July 2012\n\x0c                                           July 31, 2012\n\n\nChairman Ben S. Bernanke\nBoard of Governors of the Federal Reserve System\nWashington, DC 20551\n\nDear Chairman Bernanke:\n\n      Enclosed is a copy of our report evaluating whether the staff of the Board of Governors of\nthe Federal Reserve System (Board) or the Federal Reserve Bank of New York (FRB-NY) had\nknowledge of, or played a role in, the unauthorized disclosure of a confidential staff draft of the\nVolcker Rule notice of proposed rulemaking. As part of our review, we also assessed the\nBoard\xe2\x80\x99s information-sharing practices for rulemaking activities.\n\n      Although our review identified several apparent instances of unauthorized disclosures that\noccurred during the rulemaking process, we did not find any evidence to indicate that these\ndisclosures originated at the Board or at FRB-NY. Nonetheless, we identified three\nrecommendations for improving information-sharing controls and procedures for future\nrulemaking activities.\n\n      We provided a copy of our report for review and comment to the Board\xe2\x80\x99s General Counsel;\nthe Directors of the Divisions of Banking Supervision and Regulation, Research and Statistics, and\nInformation Technology; and FRB-NY\xe2\x80\x99s Senior Vice President of Markets. The General Counsel\nprovided a consolidated official response. With respect to our three recommendations, the\nGeneral Counsel indicated that \xe2\x80\x9cserious consideration\xe2\x80\x9d will be given to recommendations 1 and 2\nand that actions are being taken to address recommendation 3. 
Our evaluation of those responses\nfollows each recommendation in the report. The consolidated official response is included in\nappendix 2 of this report. We will follow up on actions taken to implement each recommendation.\n\n     We appreciate the cooperation that we received from Board and FRB-NY staff during our\nreview. The principal contributors to this report are listed in appendix 3. This report will be\n\x0cChairman Bernanke                             2                                  July 31, 2012\n\n\nadded to our public website and will be summarized in our next semiannual report to Congress.\nPlease contact me if you would like to discuss this report or any related issues.\n\n                                          Sincerely,\n\n\n\n                                         Mark Bialek\n                                      Inspector General\n\nEnclosures\ncc: Vice Chair Janet L. Yellen\n     Governor Elizabeth A. Duke\n     Governor Daniel K. Tarullo\n     Governor Sarah Bloom Raskin\n     Governor Jerome H. Powell\n     Governor Jeremy C. Stein\n     Mr. Scott G. Alvarez\n     Mr. Michael S. Gibson\n     Ms. Sharon Mowry\n     Mr. William C. Dudley\n     Ms. Patricia C. 
Mosser\n\x0c Office of Inspector General\n\nReview of the Unauthorized Disclosure\n of a Confidential Staff Draft of the\n       Volcker Rule Notice of\n       Proposed Rulemaking\n\n\n\n\n Board of Governors of the Federal Reserve System\n\n\n\n                                            July 2012\n\x0c\x0cAbbreviations\n\nThe Agencies           The Board of Governors of the Federal Reserve System, the Federal\n                       Deposit Insurance Corporation, the Office of the Comptroller of the\n                       Currency, the Securities and Exchange Commission, and the\n                       Commodity Futures Trading Commission\nBanking Entities       Insured depository institutions, bank holding companies, and their\n                       subsidiaries or affiliates\nBoard                  Board of Governors of the Federal Reserve System\nBS&R                   The Board\xe2\x80\x99s Division of Banking Supervision and Regulation\nDodd-Frank Act         Dodd-Frank Wall Street Reform and Consumer Protection Act\nFDIC                   Federal Deposit Insurance Corporation\nFRB-NY                 Federal Reserve Bank of New York\nFSOC                   Financial Stability Oversight Council\nFSOC MOU               Memorandum of Understanding Regarding the Treatment of Non-Public\n                       Information Shared Among Parties Pursuant to the Dodd-Frank Wall\n                       Street Reform and Consumer Protection Act\nNPRM                   Notice of Proposed Rulemaking\nOCC                    Office of the Comptroller of the Currency\nOFR                    Office of Financial Research\nOGE                    U.S. Office of Government Ethics\nOIG                    Office of Inspector General\nR&S                    The Board\xe2\x80\x99s Division of Research and Statistics\nSEC                    Securities and Exchange Commission\nSEC MOU                Memorandum of Understanding Between the U.S. 
Securities and\n                       Exchange Commission and the Board of Governors of the Federal\n                       Reserve System Regarding Coordination and Information Sharing in\n                       Areas of Common Regulatory and Supervisory Interest\nStandards of Ethical   Standards of Ethical Conduct for Employees of the Executive Branch\nConduct\n\n\n\n\n                                              5\n\x0c\x0cTable of Contents\n\nBackground ................................................................................................................................. 9\nObjectives, Scope, and Methodology ......................................................................................... 10\nResults of Our Review ................................................................................................................ 11\n     Policies, Procedures, and Practices Relating to the Treatment of Nonpublic Information or\n            Rulemaking .................................................................................................................. 11\n     Unauthorized Disclosures of the Draft NPRM ....................................................................... 15\n     Further Analysis ...................................................................................................................... 16\n     Impact of the Unauthorized Disclosures ................................................................................. 17\n     Conclusions and Recommendations ....................................................................................... 17\nAppendixes................................................................................................................................... 23\n     Appendix 1 \xe2\x80\x93 Articles Citing Draft NPRM Content ............................................................... 
25\n     Appendix 2 \xe2\x80\x93 Management\xe2\x80\x99s Response.................................................................................. 27\n     Appendix 3 \xe2\x80\x93 Principal Contributors to This Report .............................................................. 31\n\n\n\n\n                                                                       7\n\x0c\x0cBackground\nOn October 11, 2011, the Board of Governors of the Federal Reserve System (Board), the\nFederal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the\nCurrency (OCC) each issued press releases requesting public comment on a notice of proposed\nrulemaking implementing the requirements of section 619 of the Dodd-Frank Wall Street Reform\nand Consumer Protection Act (Dodd-Frank Act). 1 Section 619, which amends the Bank Holding\nCompany Act of 1956 (12 U.S.C. \xc2\xa7 1841 et seq.), contains two key prohibitions on the activities\nof insured depository institutions, bank holding companies, and their subsidiaries or affiliates\n(banking entities). 2 The first prohibition precludes banking entities from engaging in short-term\nproprietary trading of any security, any derivative, and certain other financial instruments for a\nbanking entity\xe2\x80\x99s own account, subject to certain exemptions.3 The second prohibition precludes\nbanking entities from owning, sponsoring, or having certain relationships with a hedge fund or a\nprivate equity fund, subject to certain exemptions. 4 These two prohibitions are commonly\nreferred to as the \xe2\x80\x9cVolcker Rule.\xe2\x80\x9d 5 The notice of proposed rulemaking to implement the Volcker\nRule has attracted considerable attention because its prohibitions require adjustments to the\nbusiness models of large, complex banking organizations. 
This notice of proposed rulemaking\nwill be referred to herein as the NPRM.\n\nIn addition to describing the substantive topics to be addressed in the rulemaking, the Dodd-\nFrank Act outlined specific requirements to implement the Volcker Rule. 6 First, it required the\nFinancial Stability Oversight Council (FSOC) to conduct a study and make recommendations for\nimplementing the provisions of section 619 by January 21, 2011. 7 The FSOC issued the study\n\n\n\n         1. Section 619 of the Dodd-Frank Act appears in Pub. L. No. 111-203, 124 Stat. 1620-31, and is codified at\n12 U.S.C. \xc2\xa7 1851. The October 11, 2011, version of the notice of proposed rulemaking linked to the press releases\nhad not been paginated or formatted for purposes of publication in the Federal Register. The notice of proposed\nrulemaking, \xe2\x80\x9cProhibitions and Restrictions on Proprietary Trading and Certain Interests In, and Relationships With,\nHedge Funds and Private Equity Funds,\xe2\x80\x9d appeared in the November 7, 2011, Federal Register. 76 Fed. Reg. 68846\n(Nov. 7, 2011).\n         2. Section 619 amends the Bank Holding Company Act of 1956 by adding a new section 13, \xe2\x80\x9cProhibitions\non Proprietary Trading and Certain Relationships with Hedge Funds and Private Equity Funds.\xe2\x80\x9d\n         3. Proprietary trading refers to trading in stocks or other financial instruments using the institution\xe2\x80\x99s own\nfunds, to profit from short-term price changes.\n         4. Hedge funds are investment vehicles that engage in active trading of securities and other financial\ncontracts. Private equity funds generally are funds that invest in companies or other less liquid investments.\n         5. 
Former Board Chairman Paul Volcker, while serving as the Chairman of the President\xe2\x80\x99s Economic\nRecovery Advisory Board, opined that the riskier trading activities of commercial banks and their affiliates\ncontributed to the recent financial crisis.\n         6. Dodd-Frank Act, Pub. L. No. 111-203, \xc2\xa7 619, 124 Stat. 1620, 1621-22 (amending the Bank Holding\nCompany Act of 1956 and codified at 12 U.S.C. \xc2\xa7 1851(b)).\n         7. Section 111 of the Dodd-Frank Act established the FSOC, a collaborative body chaired by the Secretary\nof the Treasury that brings together the expertise of the federal financial regulators, an insurance expert appointed by\nthe President, and state regulators. Voting FSOC members include the heads of the Department of the Treasury, the\nBoard, the OCC, the Securities and Exchange Commission, the FDIC, the Commodity Futures Trading\nCommission, the Consumer Financial Protection Bureau, the Federal Housing Finance Agency, and the National\nCredit Union Administration, as well as an independent member with insurance expertise. Among other duties, the\nFSOC is charged with identifying threats to the financial stability of the United States, promoting market discipline,\nand responding to emerging risks to the stability of the U.S. financial system.\n\n                                                           9\n\x0con January 18, 2011, and it contained 10 recommendations for implementing the Volcker Rule. 8\nSection 619 required the Board, the FDIC, the OCC, the Securities and Exchange Commission\n(SEC), and the Commodity Futures Trading Commission (collectively, the Agencies) to consider\nthe FSOC study\xe2\x80\x99s findings and jointly adopt rules to implement its provisions. 
The Agencies\nformed an interagency rulemaking team that met regularly from January 2011 through October\n2011 to jointly develop the NPRM.\n\nAs part of this joint rulemaking process, Board employees distributed several versions of the\nNPRM to the Agencies for deliberation, including a version labeled \xe2\x80\x9cconfidential staff draft\xe2\x80\x9d\ndated September 30, 2011. On October 5, 2011, American Banker, a banking and financial\nservices media outlet, published this nonpublic, confidential staff draft of the NPRM on its\nwebsite. The Board subsequently issued its October 11, 2011, press release to request public\ncomment on the NPRM, and the NPRM formally appeared in the Federal Register on\nNovember 7, 2011.\n\nObjectives, Scope, and Methodology\nWe conducted this review to evaluate whether Board and/or Federal Reserve Bank of New York\n(FRB-NY) staff had knowledge of, or played a role in, the unauthorized disclosure of the\nconfidential staff draft of the NPRM and to assess the Board\xe2\x80\x99s information-sharing practices for\nrulemaking activities. We conducted our fieldwork from October 2011 to March 2012 in\naccordance with the Quality Standards for Inspection and Evaluation issued by the Council of\nthe Inspectors General on Integrity and Efficiency.\n\nTo accomplish our objectives, we reviewed relevant policies, procedures, and other materials.\nBoard and FRB-NY policies on information-sharing are the same or substantially similar;\ntherefore, we focused on the Board\xe2\x80\x99s information-sharing policies. We interviewed Board\npersonnel as well as FRB-NY personnel who provided subject-matter expertise to the Board on a\nconsultative basis in support of this rulemaking effort. Specifically, we interviewed\n10 rulemaking participants from various Board divisions: 5 employees from the Legal Division,\n4 employees from the Division of Banking Supervision and Regulation (BS&R), and 1 employee\nfrom the Division of Research and Statistics (R&S). 
In addition, we interviewed the Board\xe2\x80\x99s\nGeneral Counsel and a staff member from the Public Affairs Office. We also interviewed 10\nFRB-NY employees who contributed to the rulemaking, including 6 employees from the\nFinancial Institution Supervision Group, 2 employees from the Legal Group, and 2 employees\nfrom the Markets Group. We also conducted a targeted analysis of certain Board rulemaking\nteam members\xe2\x80\x99 e-mail communications and phone logs.\n\n\n\n\n       8. FSOC, Study & Recommendations on Prohibitions on Proprietary Trading & Certain Relationships with\nHedge Funds & Private Equity Funds (January 18, 2011), http://www.treasury.gov/initiatives/\nDocuments/Volcker%20sec%20%20619%20study%20final%201%2018%2011%20rg.pdf.\n\n                                                    10\n\x0cResults of Our Review\nPolicies, Procedures, and Practices Relating to the Treatment of Nonpublic\nInformation or Rulemaking\nNonpublic Information\n\nWe identified standards, policies, and agreements that establish requirements for the treatment of\nnonpublic information. Specifically, the U.S. Office of Government Ethics (OGE) Standards of\nEthical Conduct for Employees of the Executive Branch (Standards of Ethical Conduct) and the\nBoard\xe2\x80\x99s information security policies address Board employees\xe2\x80\x99 handling of nonpublic\ninformation. In addition, the Board has two memorandums of understanding with other federal\nagencies regarding the treatment of nonpublic information.\n\n        Standards of Ethical Conduct Issued by the OGE\n\nThe OGE Standards of Ethical Conduct apply to executive branch employees and all Board\npersonnel. The standards prohibit any improper disclosure of nonpublic information.\nSpecifically, the standards state, \xe2\x80\x9cAn employee shall not . . . 
allow the improper use of nonpublic\ninformation to further his own private interest or that of another, whether through advice or\nrecommendation, or by knowing unauthorized disclosure.\xe2\x80\x9d 9 The OGE defines nonpublic\ninformation as information that an employee gains by reason of federal employment and knows,\nor reasonably should know, that it has not been made available to, or has not actually been\ndisseminated to, the general public.\n\n        The Board\xe2\x80\x99s Internal Information Security Policies\n\nThe Board Information Security Program policy contains specific classification and handling\nstandards for all printed and digital information. 10 This policy requires Board employees to\ncategorize information using the following sensitivity classification levels: (1) Public,\n(2) Internal FR, (3) Board Personnel, (4) Restricted-FR, and (5) Restricted-Controlled FR. 11\nSpecific information-handling restrictions and requirements are based upon the respective\nclassification level. Only information classified as Public may be disclosed outside the Board.\nThe Board\xe2\x80\x99s policy considers all other information as unpublished information that must be kept\n\xe2\x80\x9cconfidential\xe2\x80\x9d; unpublished information may only be disclosed to authorized Board or Reserve\nBank officers, employees, or agents, consistent with the policy.\n\nInterviewees stated that the rulemaking team categorized drafts of the NPRM circulated within\nthe Board or FRB-NY as Restricted-FR. The Board\xe2\x80\x99s Information Classification and Handling\nStandard requires that access to documents categorized as Restricted-FR must be limited to those\n\n         9. 5 C.F.R. \xc2\xa7 2635.703(a).\n         10. The Board Information Security Program is dated June 8, 2010. Its Appendix J: Information\nClassification and Handling Standard was updated on December 17, 2011.\n         11. 
The Board\xe2\x80\x99s Information Security Program also specifies an additional classification level: Federal\nOpen Market Committee. No documents related to this rulemaking that we reviewed received that classification.\n\n                                                        11\n\x0cBoard or Reserve Bank staff who are authorized and have a need to know for official business\npurposes. In addition, access to Restricted-FR information must be limited to as few people as\npossible, and approved encryption methods must be used when disseminating Restricted-FR\ninformation via e-mail.\n\n         Interagency Agreements Regarding the Treatment of Nonpublic Information\n\nDuring the course of our review, we identified two interagency agreements involving the Board\nthat address the treatment of nonpublic information. In July 2008, the SEC and the Board\nentered into an agreement to establish a framework for collaborating, coordinating, and sharing\ninformation in areas of \xe2\x80\x9ccommon regulatory and supervisory interest.\xe2\x80\x9d In the \xe2\x80\x9cMemorandum of\nUnderstanding Between the U.S. Securities and Exchange Commission and the Board of\nGovernors of the Federal Reserve System Regarding Coordination and Information Sharing in\nAreas of Common Regulatory and Supervisory Interest\xe2\x80\x9d (SEC MOU), the SEC and the Board\nagreed to maintain the confidentiality of all nonpublic information obtained and to not disclose\nsuch information to any person outside the SEC or the Board. Although the SEC MOU\naddresses information exchanged between the SEC and the Board, it does not apply to the other\nfederal financial regulatory agencies involved in this rulemaking.\n\nIn April 2011, the members of the FSOC established an agreement that applies to the handling of\nnonpublic information shared among the parties to the agreement in connection with FSOC\nfunctions or activities related to the Dodd-Frank Act. 
In accordance with the \xe2\x80\x9cMemorandum of\nUnderstanding Regarding the Treatment of Non-Public Information Shared Among Parties\nPursuant to the Dodd-Frank Wall Street Reform and Consumer Protection Act\xe2\x80\x9d (FSOC MOU),\nthe FSOC member agencies must take every reasonable step to protect and preserve nonpublic\ninformation that is shared in connection with the Department of the Treasury\xe2\x80\x99s Office of\nFinancial Research (OFR) or FSOC functions and activities. 12 The FSOC MOU creates a\npresumption of confidentiality for any materials shared between the parties to the agreement in\nconnection with OFR or FSOC functions and activities and obligates recipients to take all\nreasonable steps necessary to preserve, protect, and maintain that confidentiality. However,\nwhile the FSOC conducted the study as required by section 619 of the Dodd-Frank Act, the\nFSOC did not conduct the interagency rulemaking.\n\nThe Board\xe2\x80\x99s Policies on the Rulemaking Process\n\nWe also identified two Board policies that govern the rulemaking process. First, the Board\xe2\x80\x99s\nRulemaking Procedures\xe2\x80\x94Improving Board Regulations; Policy Statement establishes the\nprocedures to be followed internally when developing rules. However, the scope of this policy\ndoes not include interagency rulemakings. Second, the Board\xe2\x80\x99s Guidance on Public Meetings\nand Contacts Regarding the Dodd-Frank Wall Street Reform and Consumer Protection Act\nestablishes requirements for Board employee communications with outside parties regarding the\nDodd-Frank Act. According to the policy, the Board must disclose on its public website all\n\n\n         12. 
The Dodd-Frank Act established the OFR within the Treasury Department to improve the quality of\nfinancial data available to policymakers and to facilitate more robust and sophisticated analysis of the financial\nsystem.\n\n                                                         12\n\x0cforms of communication with outside parties regarding matters subject to a potential or proposed\nrulemaking to ensure that all rulemakings are conducted in a fair, open, and transparent manner.\nThe Dodd-Frank Act required this rulemaking to be developed on an interagency basis, and the\nabove Board policies did not apply to rulemaking team members from other agencies. While the\ninteragency rulemaking team did not establish information-sharing standards or policies specific\nto this rulemaking, Board employees indicated that there was a general understanding, based on\ndiscussions among the interagency rulemaking team members, not to disclose the drafts.\n\nThe Interagency Rulemaking Process for the NPRM\n\n        Dodd-Frank Act Requirements\n\nThe Dodd-Frank Act required the Agencies to consider the findings of the FSOC study and,\nwithin nine months of the study\xe2\x80\x99s completion, jointly adopt rules to implement section 619. 13\nAfter the FSOC published its study on January 18, 2011, the Agencies commenced the\nrulemaking process. The Board issued a press release on October 11, 2011, to request public\ncomment on the proposed rule, and the Federal Register published the NPRM on November 7,\n2011. 14\n\nAs required by the Dodd-Frank Act, the Secretary of the Treasury was responsible for\ncoordinating the interagency rulemaking efforts. 15 The Dodd-Frank Act did not otherwise\nspecify the roles and responsibilities of the Agencies. 
Board rulemaking participants informed\nus that each agency provided input and contributed its respective expertise and that the Board\ncentrally managed the development and distribution of the drafts.\n\n        The Board\xe2\x80\x99s Internal Rulemaking Efforts\n\nWith regard to the Board\xe2\x80\x99s internal approach to conducting this rulemaking, the Board selected\nstaff from BS&R, R&S, and the Legal Division to participate in the interagency process. The\nLegal Division provided its expertise and coordinated the Board\xe2\x80\x99s internal rulemaking efforts.\nBS&R and R&S staff provided quantitative data and their respective technical expertise to\nsupport the resolution of specific policy matters. The Board consulted with specific FRB-NY\nstaff who possessed necessary market risk, regulatory policy, and legal subject-matter expertise.\n\nWe inquired about the Board\xe2\x80\x99s process for selecting staff to participate in the rulemaking. We\nalso sought to determine the Board\xe2\x80\x99s approach to mitigating the risk of conflicts of interest\ngenerated by relationships with individuals who are not Board employees. Specifically, we\ninquired whether Board policies or procedures address the prescreening of potential rulemaking\n\n\n         13. Dodd-Frank Act, Pub. L. No. 111-203, \xc2\xa7 619, 124 Stat. 1620, 1621 (amending the Bank Holding\nCompany Act of 1956 and codified at 12 U.S.C. \xc2\xa7 1851(b)(2)(A)).\n         14. The Board\xe2\x80\x99s Regulatory Reform Project Tracking Tool acknowledges that the interagency rulemaking\neffort has not met the nine-month deadline for jointly adopting the rule.\n         15. Dodd-Frank Act, Pub. L. No. 111-203, \xc2\xa7 619, 124 Stat. 1620, 1622 (amending the Bank Holding\nCompany Act of 1956 and codified at 12 U.S.C. 
\xc2\xa7 1851(b)(2)(B)).\n\n\n\n                                                      13\n\x0cparticipants to avoid situations that might give rise to actual or apparent conflicts of interest.\nAlthough the Board did not have policies or procedures addressing the prescreening of potential\nrulemaking participants, staff members referenced Board policies relating to information\nhandling, guidance on public meetings and contacts regarding the Dodd-Frank Act, and ethical\nconduct guidelines that prohibit the disclosure of nonpublic information.\n\nThe Board assigned two attorneys from the Legal Division\xe2\x80\x99s Banking Regulation and Policy\nGroup to lead the Board\xe2\x80\x99s rulemaking efforts, and the Legal Division led the interagency drafting\nefforts. The Board rulemaking team held internal meetings to discuss the NPRM. The Legal\nDivision incorporated feedback from these discussions, disseminated updated drafts to Board\nrulemaking participants, and provided portions or entire copies of early draft documents to\ncertain FRB-NY staff.\n\nAs the Legal Division updated drafts of the NPRM, it labeled them by date and version number.\nThe Legal Division classified these drafts as Restricted-FR. The Legal Division stored the\nNPRM drafts on a shared network drive accessible to all employees in the Legal Division\xe2\x80\x99s\nBanking Regulation and Policy Group, including employees not participating on the rulemaking\nteam. We learned that Legal Division staff use this shared drive routinely. However, as noted\nabove, according to the Information Classification and Handling Standard, access to Restricted-\nFR information should be limited to authorized staff who have a need to know the information\nfor official business purposes. 
Access to such information must be limited to as few people as\npossible.\n\n       The Board\xe2\x80\x99s Interagency Coordination Efforts\n\nThroughout the NPRM drafting process, from January 2011 through October 2011, the Board\nindicated the confidential nature of the draft NPRM. According to an interviewee, the Board\xe2\x80\x99s\nrulemaking team labeled a March 2011 draft of the NPRM \xe2\x80\x9cconfidential and pre-decisional,\xe2\x80\x9d to\ndenote the nonpublic and restricted status of the draft and to indicate that it was still in\ndevelopment. Initially, the Legal Division disseminated drafts of the proposed rule via e-mail to\nall members of the interagency rulemaking team; the distribution list contained approximately 70\nemployees of the Agencies. According to interviewees, the Legal Division disseminated the\nNPRM drafts via e-mail communications that were not always encrypted. The interagency team\nexamined the proposed rule from various perspectives, including systemic risk ramifications,\nprotection of depositors, and implications regarding market conduct. The interagency\nrulemaking team discussed proposed changes during the interagency meetings until it reached\nconsensus.\n\nIn June 2011, there was an indication that interagency meeting deliberations were disclosed to a\nmedia source. As a result, in July 2011, the Board (1) narrowed the e-mail distribution list from\nthe interagency rulemaking participants to only the team leaders of the respective agencies and\n(2) communicated via e-mail to the rulemaking team that the draft NPRM remained a\n\xe2\x80\x9cconfidential work product and not for discussion or sharing externally.\xe2\x80\x9d\n\nIn September 2011, there were further indications that media sources not only had insight\nregarding interagency discussions, but also likely had access to a draft. 
As a result, a senior\n\n                                                 14\n\x0cattorney from the Board\xe2\x80\x99s Legal Division who was leading the drafting effort communicated the\nfollowing message via e-mail to the rulemaking team on September 30, 2011:\n\n                 PLEASE DO NOT PASS THESE DOCUMENTS ALONG TO\n                 ANYONE OUTSIDE YOUR AGENCY, and if you must pass\n                 along to others internally do so in a manner which is designed to\n                 prevent further dissemination. Leaks such as the one that has\n                 obviously occurred here are not constructive to the overall integrity\n                 or process of this rulemaking and . . . are not good public policy.\n\nCommunications with Members of the Public\n\nAs part of the rulemaking process, the Board typically conducts meetings with members of the\npublic to gather information. Board staff held more than 40 meetings with members of the\npublic, including trade associations, banking organizations, and consumer groups. Staff\nmembers noted that these external parties presented various opinions that contributed to the\nrulemaking process. For example, external parties provided insight regarding the function and\nutility of different products that could be affected by the rule. Staff members noted that during\nthese meetings they refrained from responding to questions from the external parties concerning\nthe status of the rulemaking or specific policy determinations and did not share any content from\nthe draft NPRM.\n\nAs required by the Board\xe2\x80\x99s Guidance on Public Meetings and Contacts Regarding the Dodd-\nFrank Wall Street Reform and Consumer Protection Act, the Board informed the external parties\nthat the matters discussed would be made public. 
In accordance with the policy and to ensure\nthat the rulemaking was conducted in a fair, open, and transparent manner, the Board posted\nsummaries of communications on the Board\xe2\x80\x99s website, including materials provided by external\nparties. 16\n\nUnauthorized Disclosures of the Draft NPRM\nUnauthorized Disclosures to the Media\n\nPrior to American Banker\xe2\x80\x99s publication of the draft NPRM on October 5, 2011, there were\nindications of unauthorized disclosures of previous draft versions of the NPRM. We reviewed\nfive articles published by various media sources that cited content from a draft, claimed to have\nviewed a previous draft, or referenced detailed information regarding the ongoing deliberations\nwithin the interagency rulemaking team. 17 For example, in one article a media source claimed to\nhave reviewed an August 2011 version of the proposed rule. Board staff members stated that\nthese articles contained specific factual information that appeared to confirm that these media\nsources had actually gained access to the nonpublic draft documents. Our interviews with Board\n\n\n         16. According to the policy, however, confidential commercial or financial information obtained from an\nexternal party may be withheld from public disclosure to the extent permitted under the Freedom of Information Act\n(5 U.S.C. \xc2\xa7 552).\n         17. See appendix 1 for a listing of the five articles.\n\n                                                       15\n\x0cand FRB-NY staff did not reveal any evidence indicating that the unauthorized disclosures of the\ndrafts published or referenced by media sources originated from within the Board or FRB-NY.\n\nMedia Inquiries to the Board\xe2\x80\x99s Public Affairs Office\n\nDuring the rulemaking process, reporters contacted the Board\xe2\x80\x99s Public Affairs Office with\nquestions regarding the rulemaking. 
A Public Affairs staff member noted that such inquiries are
typical during an anticipated rulemaking, although the volume of inquiries regarding this
rulemaking was atypically high. This staff member stated that Public Affairs had also noted
several articles that indicated that the draft NPRM may have been prematurely released even
prior to American Banker’s publication of the draft on October 5, 2011. In response, a Public
Affairs staff member discussed these articles with members of the Board rulemaking team to
assure that the team was aware of the articles. We also learned that reporters contacted the
Board’s Public Affairs Office claiming that they had reviewed a copy of the draft NPRM
and wanted to verify its contents. A Public Affairs staff member stated that she did not provide
any additional information in response to inquiries from reporters regarding the draft NPRM.

Former Employee Communications

We determined that a Board rulemaking participant received a copy of a nonpublic, confidential
staff draft of the NPRM via e-mail on the morning of October 5, 2011, from a former Board
employee. In this e-mail, the former Board employee requested that the Board rulemaking
participant confirm whether the draft contained in the e-mail was the final version of the NPRM.
The Board rulemaking participant promptly forwarded the e-mail to select members of the Board
rulemaking team. The Board rulemaking participant noted that he did not confirm or deny for
the former Board employee whether the document was the final draft. The former employee did
not disclose to the Board rulemaking participant the source or the means used to obtain the draft
NPRM.

On the afternoon of October 5, 2011, American Banker published the confidential staff draft of
the NPRM on its website. This draft was not the same version that the Board rulemaking
participant received via e-mail from the former employee.
As part of our standard interview
questions, we asked Board and FRB-NY rulemaking participants to describe any possible
connections to American Banker; these interviewees did not identify any such connections.

Further Analysis

Upon learning that a Board rulemaking participant received a copy of a nonpublic, confidential
staff draft of the NPRM via e-mail from a former Board employee, we referred the matter to the
Office of Inspector General (OIG) Investigations section. We coordinated with OIG
investigators to conduct a focused review of employee phone logs and e-mail communications to
determine whether unauthorized disclosures regarding the NPRM may have originated within the
Board. This assessment included targeted reviews of key rulemaking participants’
communications within specific time frames germane to the rulemaking effort. Our focused
analysis of phone logs and over 2,300 e-mail communications did not reveal any evidence
indicating that the unauthorized disclosures of the drafts that were ultimately published or
referenced by media outlets originated from within the Board.

We also contacted the former Board employee to discuss how he/she obtained the draft. The
former Board employee, now working at a law firm, indicated that a client provided the draft
NPRM to an attorney working at the firm. The former Board employee stated that the attorney
who received the draft NPRM was not a former Board or Reserve Bank employee.
The former
Board employee chose not to identify the client who provided the draft NPRM to the law firm.
In the former Board employee’s opinion, an attorney at the law firm receiving the draft NPRM
from a client constituted a protected communication covered by the attorney-client privilege.

Impact of the Unauthorized Disclosures

We assessed the unauthorized disclosure of the NPRM draft by American Banker to determine
whether it had any significant impact on the planned release date or content of the final NPRM.
With regard to the planned release date, interviewees indicated that the NPRM was not affected
by the publication of the draft in American Banker. As discussed above, the Board requested
comment on the proposed rulemaking via press release on October 11, 2011, six days after the
confidential staff draft was published on October 5, 2011, and the NPRM formally appeared in
the Federal Register for public comment on November 7, 2011. Although an unauthorized
disclosure could have created the opportunity for external parties to attempt to influence
decisions regarding the final rule, Board rulemaking participants noted that no substantive
changes occurred after or resulted from the unauthorized disclosure.

The unauthorized disclosure to American Banker circumvented the rulemaking process by
publishing the draft version before the intended issuance of the final NPRM. The unauthorized
disclosures that occurred throughout the drafting of the NPRM compromised the integrity of the
rulemaking process. Board interviewees noted that interagency teams need trust and open
dialogue to effectively carry out a joint rulemaking.
As such, staff members noted that the
unauthorized disclosures of the draft NPRM had a negative impact on the “interagency
rulemaking dynamic.”

Conclusions and Recommendations

Our review noted several apparent instances of unauthorized disclosures that occurred during the
rulemaking process. We did not find any evidence, however, to indicate that the unauthorized
disclosures originated at the Board or FRB-NY. Nonetheless, we identified three
recommendations for improving information-sharing controls and procedures for future
rulemaking activities. The General Counsel’s responses to the individual recommendations and
our evaluation of those responses are outlined below. Appendix 2 contains the General
Counsel’s complete response.

   1. We recommend that the Board create information-sharing guidelines applicable to
      interagency rulemakings for distribution to the participating agencies when the
      Board has responsibility for drafting an interagency rulemaking.

It is our understanding that over the years the federal banking agencies have developed informal
and customary practices for sharing and controlling sensitive information as part of interagency
rulemaking efforts. However, there are no formal written agreements or controlling standards
concerning the treatment of nonpublic information applicable to interagency rulemaking
activities.
While we acknowledge that developing guidelines will not eliminate the risk of future
unauthorized disclosures, we believe that such guidelines will serve to establish a common
understanding for key terminology and expectations for the treatment of nonpublic information
at the outset of interagency rulemaking activities.

Management’s Response

Regarding recommendation 1, the General Counsel stated the following:

           The Federal Reserve and other financial institution regulators have been
           sharing confidential information for generations. All parties involved are
           aware of the confidentiality expectations and, as the draft report
           acknowledges, those expectations were reiterated at various times
           throughout the Volcker rulemaking process. There is no reason to believe,
           either on the basis of the draft report or on the basis of other known
           information, that the disclosure motivating this report came about because
           the disclosing party failed to appreciate the confidential nature of the
           information disclosed. We will discuss with other regulators whether they
           are unclear regarding the confidentiality restrictions that apply in the
           context of interagency rulemakings, and will consider creating guidelines
           if clarity is lacking.

OIG Evaluation

Our review determined that there are no formal written agreements or standards guiding the
treatment of nonpublic information applicable to interagency rulemaking activities, and we
observed that the Board’s rulemaking team initiated significant changes to the informal and
customary interagency practices used during this rulemaking to ensure confidentiality once the
unauthorized disclosures became evident. Specifically, the Board’s rulemaking team limited the
draft NPRM distribution list to the rulemaking team leaders at the respective agencies.
Prior to
this action, approximately 70 rulemaking participants were included in the distribution list.
Further, the Board communicated to the interagency rulemaking participants with increased
specificity regarding the need to avoid external disclosures of the draft NPRM. These actions,
intended to tighten the interagency rulemaking information security practices, acknowledge the
need for heightened levels of security controls in the interagency rulemaking process. In our
opinion, implementing recommendation 1 to create information-sharing guidelines when the
Board has drafting responsibility will help establish a common understanding for key
terminology and expectations at the outset of interagency rulemaking activities.

   2. We recommend that the Board’s General Counsel enhance user access controls on
      the Legal Division’s shared drive for prospective rulemaking materials to ensure
      that materials are appropriately restricted on a need-to-know basis and limited to as
      few employees as possible.

Although the Legal Division labeled the NPRM drafts as Restricted-FR, the drafts were stored
on a shared network drive accessible to all Legal Division employees within the Banking
Regulation and Policy Group. The Legal Division limits employee user access on its shared
drive according to employee groups, but has not adopted similar access controls within its
employee groups. Therefore, certain employees within the Banking Regulation and Policy
Group had access to drafts of the NPRM even though they did not need access to those materials
in the current performance of their job duties.
According to the Board’s Information
Classification and Handling Standard, Restricted-FR information may only be shared with other
authorized Federal Reserve staff who have a need to know the information for official business
purposes and access to the information must be limited to as few people as possible. Even
though our review did not reveal any evidence that this situation contributed to the unauthorized
disclosures, we believe that control enhancements would result in greater consistency with Board
policy. Although we learned that the Board is in the process of transitioning to new electronic
document management capabilities, we believe that, in the interim, the Board’s General Counsel
should enhance user access controls to appropriately restrict access for prospective rulemaking
materials.

Management’s Response

Regarding recommendation 2, the General Counsel stated the following:

           It is clear from discussions between the General Counsel and the Inspector
           General that the Legal Division’s use of the shared drive did not
           contribute, either intentionally or unintentionally, to the unauthorized
           disclosure of the draft Volcker NPR. In my role as General Counsel, I
           have already placed restrictions on staff access to the information on the
           Legal Division’s shared drive. Those restrictions are designed to limit
           access to information to staff assigned to, or available for assignment on,
           regulatory projects while allowing the most effective and efficient
           assignment of Legal Division staff to these projects.
           We understand that
           the Board’s Division of Information Technology (“IT”) is developing a
           new system that provides more flexibility in controlling access to
           confidential information than the current system of hard drive
           administration. The Legal Division will work with IT to take advantage of
           these new systems as they are developed. In the meantime, the Legal
           Division will continue to conform to the Board’s confidentiality
           restrictions, will take the OIG’s observations into account, and will consult
           with experts in information security should any irregularities or questions
           arise.

OIG Evaluation

As noted in this report, for this rulemaking, the current group-level restrictions for accessing
information on the Legal Division’s shared drive were not consistent with the Board’s
information classification and handling standard. That standard indicates that Restricted-FR
information “may only be shared with other FR [Federal Reserve] staff who are authorized and
have a need to know the information for official business purposes. Access to the Restricted FR
must be limited to as few people as possible.” We made this recommendation because we
determined that approximately 30 staff members in the Legal Division’s Banking Regulation and
Policy group had access to the prior draft NPRMs for the Volcker Rule, even though, in our
opinion, only 4 staff members within the group met the need-to-know standard for accessing
these materials. After identifying this issue, we coordinated with OIG investigators to conduct
targeted e-mail searches of the Legal Division employees with access to the draft NPRMs. We
did not identify any evidence of unauthorized disclosures.
Even though we observed no
evidence that this vulnerability contributed to the unauthorized disclosures, we maintain that
control enhancements are necessary to ensure compliance with the information classification and
handling standard.

We confirmed with the former Director of the Division of Information Technology and current
division personnel that the recommended control change is “technologically feasible” and “easily
implemented.” Accordingly, we continue to believe that the General Counsel should implement
enhanced user access controls on the Legal Division’s shared drive for prospective rulemakings
to ensure that the division complies with the Board’s information classification and handling
standard.

   3. We recommend that (a) the Director of the Division of Information Technology
      remind all Board employees of the Board’s encryption capabilities for transmitting
      e-mail communications to other agencies and (b) the Board’s General Counsel
      reiterate to Board participants in all rulemakings the need to use encryption
      methods when e-mailing Restricted-FR documents associated with interagency
      rulemakings.

We learned that Board staff did not always transmit the drafts of the NPRM, which were labeled
internally as Restricted-FR, through encrypted e-mail communications. The Board’s Information
Classification and Handling Standard states that Restricted-FR materials should be sent via
encrypted e-mail. It is our understanding that the Board currently has capabilities to encrypt
outgoing e-mails to both internal recipients and the respective agencies participating in this
rulemaking.
Even though our review did not reveal any evidence that the transmission of these
unencrypted e-mails contributed to the unauthorized disclosures, Board staff should comply with
applicable requirements concerning encrypted e-mail communications.

Management’s Response

Regarding recommendation 3, the General Counsel stated the following:

          As the explanation accompanying this recommendation states, the
          transmission of unencrypted emails did not, intentionally or
          unintentionally, result in the disclosure of the draft Volcker NPR.
          Nonetheless, the General Counsel has already communicated to the Legal
          Division both the importance of using encryption services for transmitting
          e-mails on an interagency basis and the appropriate method for encrypting
          interagency e-mails (since the embedded encryption mechanism in the
          Board’s Lotus Notes email service used frequently by staff does not
          encrypt e-mails transmitted outside the Federal Reserve). The Director of
          IT has also determined to remind staff about the methods of encrypting
          interagency messages. We also note that IT expects to implement a new
          email system that will make encryption of documents sent outside the
          Federal Reserve less cumbersome. The Legal Division staff has already
          begun training on this system and will be prepared to take advantage of
          this new encryption capability when it becomes available.

OIG Evaluation

The Division of Information Technology reminded Board employees of the Board’s encryption
capabilities for transmitting e-mail communications outside the Federal Reserve System in the
2012 Information Security Awareness Training.
We concur with the remainder of the General
Counsel’s response.

Appendixes

Appendix 1 – Articles Citing Draft NPRM Content

   1. Braithwaite, Tom, “Fears Over Exemptions to Volcker Rule,” Financial Times
      (September 18, 2011).

   2. Patterson, Scott, and McGrane, Victoria, “Volcker Rule May Lose Its Bite,” Wall Street
      Journal (September 22, 2011).

   3. Hopkins, Cheyenne, and Mattingly, Phil, “Trader Pay May Face Restrictions Under
      Volcker Rule Mandated by Dodd-Frank,” Bloomberg (September 26, 2011).

   4. Main, Carla, “Trader Pay, Rater Rules, ‘Sinister’ Insurance, EU Auditors: Compliance,”
      Bloomberg (September 27, 2011).

   5. Adler, Joe, Borak, Donna, and Davidson, Kate, “Cheat Sheet: Details of the Long-Awaited
      Volcker Rule,” American Banker (October 5, 2011).

Appendix 2 – Management’s Response

Appendix 3 – Principal Contributors to This Report

Laura R. Shakarji, Project Leader and Auditor

Jina Hwang, Counsel

Charles M. Liuksila, Auditor

Michael A. Olukoya, Auditor

Jennifer L. Ksanznak, Auditor

Leah D. Garrison, Eric D. Shapiro, and Gabrielle Viscomi, Audit Interns

Michael P. VanHuysen, Office of Inspector General Senior Manager

Anthony J. Castaldo, Associate Inspector General for Inspections and Evaluations